Running head: PATIENT DATA

Protecting Patient Data
Walden University
Since the inception of record-keeping, medical records have earned a place in society where the medical data gathered from each individual patient is essential not only to trend progression but also as a general record-keeping system of a patient's overall health. Accordingly, a patient file generally contains hospital summaries (admittance, discharge, and follow-up care), radiological images, consultation reports, a list of medications, allergy information, physical exams, etc. However, certain things, such as the exchange of information between lawyers, doctors, and medical indemnity providers, tend to be excluded under current law and should not be taken as part of a patient's medical record (Ken, 2009). As such, patient records tend to contain a significant amount of sensitive information that must be safeguarded; thus proper safety and security measures are essential to patient care.
Since the compilation, storage, and access of information is such an important part of patient care, it is essential to provide proper safeguards against unauthorized access, such as steel enclosures with locks for those still utilizing paper records or strong encryption methods for those utilizing electronic medical records. With the enactment of newer laws and the compliance measures of meaningful use, the value of a safe and secure medical record system should not be overlooked. Thus, a comprehensive record-keeping system that is secure and fulfills the needs of patients, physicians, various other health care providers, insurance billers, and other third-party entities is of the utmost importance. After analysis of United General's policy manual, the proposed changes below could form a comprehensive update that fulfills all requirements:
· Records should be kept in a secure electronic format that is legible, easily understood, written with American Medical Association approved acronyms and/or abbreviations, and easily transmissible from one organization to another.
· The medical record, at a minimum, must contain a thorough history, physical examination findings, tests and/or procedures performed on the patient along with their results, any consultations, assessment and plan, medication history, and any other medically relevant information that allows a comprehensive compilation of patient-specific medical data.
· The medical record should include all discussions regarding any proposed procedures and/or treatment options, along with a risk-to-benefit analysis, in order to clearly demonstrate that all options were presented to the patient and that they were allowed to choose without prejudice or coercion.
· The medical record must safeguard, via encryption, files of any written consent issued by AND to the patient for any and all medical treatment, including but not limited to surgical and/or medical procedure(s).
· The medical record should document ANY matter of patient compliance, including but not limited to refusal of consent to undergo treatment such as testing, medical and/or surgical procedures, vaccination, and ingestion of medication. Any and all refusal against medical advice MUST be documented.
· All telephone conversations in which medical information is discussed shall, to the extent permitted by law, be monitored and/or recorded for quality and training purposes to ensure adequate record keeping.
· All information pertaining to allergies (food and/or medicinal) or any other conditions that may demand special attention or bring harm to a patient shall be documented in the medical record.
· The medical record should incorporate details of any clinical opinion reached by the medical practitioners. The record should also be comprehensive regarding follow-up recommendations, and compliance with them should be monitored.
· The medical record should have provisions for nightly reconciliation of the data inputted throughout the day, with in-session automatic saving of information that is being typed and/or uploaded, to ensure that no pertinent data is lost. An additional security provision calls for monthly testing to ensure the system is not vulnerable to security threats and has back-up access in the event of a primary system failure.
· The medical record shall employ security protocols that not only limit unauthorized access but also alert, in real time, on unauthorized access to patient records and to secure areas of a building, in order to reduce any potential loss of secure information.
While the proposed items above are not a comprehensive list, they do serve as a starting point regarding the restructuring and importance of United General's agreement not only to safeguard medical information but also to be HIPAA compliant. According to Thakkar & Davis (2009), the purpose and importance of safe and secure health records lies in providing a legally recognized form of record keeping that tracks decision making in patient care and helps improve quality and safety by holding patient information in a centralized source. Thus, the points below help identify the importance and purpose of proper medical record keeping, along with remaining in compliance with HIPAA:
· HIPAA serves as the ultimate authority in setting national standards that protect and respect the privacy of an individual regarding how and when their medical information is accessed.
· HIPAA compliance to safeguard a patient's health information is to be adhered to by limiting, within reason, the unnecessary sharing and usage of information, and by utilizing accessed information only for its specific intended purpose(s).
· Agreements will be established with service providers, who can execute tasks on behalf of patients, in a secure manner, while ensuring that patient information is not disclosed to those who are not authorized to be in possession of such material.
· Develop and implement a training program that teaches individuals not only to safeguard patient information but also to continuously monitor who accesses patient information in order to determine how that information will be used.
· Establish protocols that detect possible systemic breaches. In addition, develop a step-wise approach that gathers information in a manner that can inform a patient about a data breach.
· Electronic medical records help improve the level of involvement a patient has in their medical decisions. Active involvement in decision-making allows patients to track and manage their health care needs while taking into account their ultimate end goals.
· A medical record provides a complete legal and business account that documents all facts of medical care even when multiple providers are being used. This documentation gives patients peace of mind because it enables them to keep track of their medical care.
· Electronic medical records allow the dissemination of information, especially in emergency situations, at a moment's notice, ensuring that the patient receives the best care possible.
· Digital records allow a reduction in administrative cost because clinical documents are organized in a digital format that makes searching for information relatively easy. In addition, a digital format allows for increased efficiency, especially when it comes to prescription refills, scheduling and automatic reminders, and referrals.
· Electronic records allow for comprehensive family-managed care by giving caregivers the ability to track, update, and interpret information, especially in situations where most family members see the same physician (Kaelber, 2008).
While the collection, storage, and retrieval of patient information is essential for both the physician and the patient, ensuring that only those with proper authority have access, and that the information is stored securely, is of great concern. Based on the situation that occurred at United General Hospital, several ramifications, along with proposed remedies to prevent compromises of medical records, will be suggested. Most of these suggestions apply to both electronic and paper records; however, electronic records will be the main focus, since federal law dictates that an electronic format will comply with most facets of health care reform.
· Both paper and electronic formats are subject to unauthorized access and present a liability for the physician and/or medical care facility; thus it is important to safeguard information. Electronic medical records are subject to intended or unintended destruction/loss, inappropriate data entry/corrections, and transcription errors. To remedy this, one must take care that a master list of authorized users is consistently updated, so that those with proper access retain it and those who lose those privileges no longer have access. All of this could be linked to individual identification cards. In addition, a strong encryption algorithm would keep files safe because reading them without authorization would require extensive decryption effort.
· Paper formats are subject to unauthorized access a bit more easily than electronic records. In addition, they are subject to being lost, stolen, damaged, and easily altered, since all it requires is access and a pen to change information. Paper record keeping is very inefficient, since it requires special places for records to be held along with a debilitating need for constant consumption of paper. This inefficient method of data gathering, storage, and retrieval carries an astronomical labor cost, because it requires a team a significant amount of time to ensure proper protocol is followed. However, since this method is being phased out in order to comply with new federal laws, the focus has shifted to making electronic records the safe mainstay option for all medical facilities.
· While electronic medical records have the potential to interfere with patient interaction, thus preventing a solid and trustworthy bond from being established, several steps could be taken to ensure the patient does not feel neglected. One should interview the patient, write down relevant facts on a sheet of paper or memorize them, then go to a computer after the visit to formulate a comprehensive medical record.
· Unauthorized access to both electronic and paper medical records is of great concern; however, as mentioned previously, the more barriers that are put into place, such as strong encryption for digital formats and locking paper documents in a steel enclosure, the more difficult it becomes for someone looking to steal information they are not privileged to.
Based on the information provided, one can easily deduce that security should be of the utmost concern when dealing with the sensitive information found in a patient's medical record. A private practice and/or medical facility should always adhere to standards that not only prevent unauthorized access to medical records but also ensure that the hospital is diligent in training its staff not to disseminate any information, whether to a close family friend, a relative, or a complete stranger. Privacy and security should be a top priority along with patient care. Thus, policies within the hospital setting that comply with and/or mirror the Health Insurance Portability and Accountability Act are elucidated below:
· The development of policies and procedures that dictate proper storage and security methods, and onsite and offsite retrieval methods, for medical records by those who are authorized to use them.
· Maintaining an up-to-date list, reviewed weekly, to ensure that those active within the hospital system have proper access to the material needed to do their job effectively, while inactivating those who no longer have a relationship with the hospital.
· Proper labeling of files and related information to ensure proper storage and retrieval of records while ensuring that unauthorized access is prevented.
· The development and implementation of automatic back-up files that enable authorized users to focus on their work while having peace of mind knowing that information is not only being automatically saved but also backed up in the event of a total primary system failure.
· Ensuring that third-party vendors consistently meet all protocols for safety and proper management of information, through quarterly meetings that allow concerns to be voiced and suggestions to be made.
· Creating a custom unit that ensures the needs of the organization, such as policies and procedures, are being met, while addressing requests to modify components of the electronic medical record to add/upgrade encryption capability, increase the amount of available storage, and further analyze metadata to extrapolate vital information (Wafa, 2010).
The invaluable experience of training allows people to gain a skill in which they are not yet proficient, or serves to remind those who are experienced to stay current with any proposed changes so that they remain in compliance with policies and procedures. Thus, the following topics serve to inform staff on the proper methods of accessing and disclosing patient information:
· Information security and confidentiality should be at the forefront of patient care, especially when a patient's medical record is involved. Improved security measures decrease the amount the hospital needs to spend (reduced cost of possible litigation) while ensuring healthier outcomes and increasing patient trust in the organization's ability to keep records safe. Accordingly, increased patient trust allows for increased compliance, thus allowing for a more cohesive approach to an informed decision regarding the specifics of their medical care. In addition, it is important to create mock simulations that demonstrate what impact data breaches could have on the organization and patients, since breaches could potentially tarnish the reputation of the medical organization as well as have lasting emotional and financial impacts on the patient. According to the United States Health and Human Services (n.d.), a poorly performing organization that lacks proper safety protocol measures exacerbates the vulnerability of information, leaving it exposed to cyber attacks, which could maliciously use the information and destroy both the patient's and the hospital's reputation.
· Compliance with HIPAA statutes serves to protect not only the well-being of the patient but also all of the information collected from them. Medical practitioners have a responsibility to safeguard patients' sensitive information and provide the highest quality of medical care. At a minimum, demographic information and information regarding past, present, or future physical or mental health should be safeguarded, along with medication history.
· All personnel who provide medical care must not only adhere to HIPAA but must also comply with any changes that arise to ensure that the safety and quality of patient care is never compromised. As such, all providers should understand the standard financial and administrative proceedings that could affect patient care and ensure that everything is being done to safeguard patient information.
A lawsuit involving one of the former patients that United General used to provide medical care for enables us to analyze the level of oversight when it came to patient confidentiality and security. A violation of patient privacy was noted when information was not only accessed but also distributed in a manner that was not consistent with hospital protocol and HIPAA compliance. United General failed to comply with regulations protecting the privacy and security of health information, thus violating the rules set forth by HIPAA. This is a serious violation that has opened United General to governmental inquiries as well as to federal lawsuits. Based on that, some areas that breached HIPAA compliance will be analyzed:
· Collection, Use, and Disclosure of Patient Information: According to HIPAA, medical care providers should ALWAYS obtain consent before collecting patient data, when disclosing or using personal health information with other medical professionals pertinent to diagnosis, and regarding whom information can be discussed with. As with everything else, federal law provides exceptions to the rule, which shall be followed accordingly.
· Security: Medical records, whether in paper or electronic format, shall reside in a safe and secure environment where proper safeguard procedures have been taken to ensure integrity and confidentiality. Accordingly, medical providers should be vigilant and conduct monthly or quarterly assessments of access to sensitive information, as well as ongoing training depicting scenarios that illustrate the responsibilities one has when accessing medical records. In addition, protocols should be modified to ensure all medical professionals understand that medical records are to be accessed only for a legitimate purpose, and that they must take reasonable steps to ensure records are protected from theft, loss, and unauthorized disclosure and use.
· Storage: A patient record, whether in digital or paper format, should be stored in a secure manner that prevents theft, unauthorized access, and intended or unintended destruction and/or modification of information. Care should always be taken to ensure that a back-up source is always available in the event of catastrophic failure of resources.
The above HIPAA analysis is not an all-encompassing venture that exposes every area needing attention; however, it does provide a solid foundation for addressing essential areas of weakness. Thus, it is in United General's best interest to develop policies that mimic those established by HIPAA in order to educate medical providers on the importance of handling and disposing of patient health care records:
· Patient access to medical records is to be granted strictly to the patient who requests them, or to a person the patient has appointed to handle their information, as long as there is proper documentation to do so. Additionally, patients may legally access their records for free but shall pay a fee, in compliance with state/local/federal law, in order to have their records printed. All information shall be kept confidential unless otherwise expressed by the patient and state/local/federal law.
· All information must be inputted in a legible manner that is consistent with American Medical Association standards on detail and acronyms. Information must be easily deciphered when presented to other health care professionals, to ensure uniformity of "language" in coordinating medical care that best serves the patient's interest.
· Patient medical records shall be accessed only by those with a specific purpose and proper credentials to coordinate patient care. Those who do access information must take great care that the information is not easily seen and/or accessed by others. Medical professionals accessing patient records shall document each time the record is accessed, to ensure proper accountability by those in possession of sensitive information. The patient has the ability to deny or consent to the release of information.
· Safeguarding information shall always be of the highest concern, not only in the best interest of the patient but also of the medical organization. Secure medical information not only keeps the patient at peace but also allows the medical provider and medical care facility to provide the best quality of care without compromising safety and value.
· All information shall be heavily encrypted against attempted breach; however, if such an event occurs, a full investigation shall ensue. The patient must be notified and given a full briefing that includes information regarding the type of information that was taken, along with the steps taken to rectify the situation.
Based on the information presented, it is imperative to have medical personnel trained on the proper protocols to ensure that each person is HIPAA compliant. Thus, there are several topics that must be covered to educate them on the handling and disposal of patient records, some of which include:
· Types of protected information: HIPAA dictates that virtually all facets of patient information are deemed sensitive and require diligence when accessed. Identifiable information such as race, sex, demographics, and diagnosis should be safeguarded. The only time patient information is not classified as "protected" is when it interferes with public safety, and in other exceptions defined by law.
· Who must comply with HIPAA regulations: Everyone who delivers medical care, whether directly and/or indirectly involved, should be bound by all HIPAA regulations. Accordingly, health care providers who perform financial and administrative actions are also held to the same standards as those providing care.
· Importance of safety and security of patient information: The security and safety of patient information has a directly proportional relationship with quality of care. Accordingly, secured patient information leads to better outcomes and more satisfied patients. This enables the health care facility to provide more services and be a trusted provider who can be relied on for all facets of patient care.
Those who are uninformed because they lack proper training, or because proper protocols are absent from the training manual, have not been fairly treated, because they are misinformed. Thus, it would appear that blame could be placed not only on the employee but also on the facility, which should have ensured that employees received the necessary information with a complete understanding of what it entails. It is imperative that United General address the sparse areas within the manual to update and convey its intended message. Thus, the points below serve to initiate proper handling and accessing of patient records:
· First would be to establish the organizational mission and values while ensuring that each person understands that a collaborative effort is needed in order to be compliant. Emphasis should be placed on the imperative nature of safety and security regarding patient information. Management should also provide ongoing training outlining changes, along with potential revisions the organization may implement to supplement a holistic approach to privacy and security.
· Second would be proper and official documentation of all findings to ensure that a record exists to validate any claims that may arise. Documentation allows both the employer and the employee to understand what is required of each other, and the moment one party is not holding up their end of the contract, documentation of that event should occur.
· Third would be analysis of existing security measures in order to understand and predict potential pitfalls where an employee may lack understanding. The integrity and availability of policy information must be presented to the employee in a manner that leaves no reasonable doubt regarding what steps should be taken in order to abide not only by hospital policy but also by the rules set forth by HIPAA.
· Fourth would be to develop an action plan on behalf of the employee that involves risk analysis of different scenarios, where the appropriate action plan is selected based on the identified risk. The action plan should take into account HIPAA policies with incorporated flexibility that enables personnel to focus on the high-priority threats as well as the vulnerabilities.
· Fifth would be to establish firm policies regarding the meaningful use of information accessed for direct patient care. Policies should dictate that information accessed is strictly limited to the care of patients in whom you are directly involved.
· Sixth would be to establish ongoing monitoring of information, with quarterly updates, to ensure all employees are up to date and equipped with the necessary tools to perform their job correctly. Auditing serves as an assessment tool and as legal documentation regarding who, what, when, where, and why things can/need to be done.
The suggestions provided above serve as an excellent foundation for addressing the potential inadequacies involving the oversight in the United General handbook. United General should have developed a role-based security protocol that grants users specific access to certain aspects of patient care while restricting other aspects of the medical record. According to Rupp (2016), role-based security allows for automatic parameters to be set in order to limit or grant specific privileges to sensitive information. In this particular case, United General would benefit from establishing role-based security access for patient records. The following would serve as preliminary measures to establish role-based access:
· Encryption of all sensitive data, to be accessed only by verified personnel.
· Color-coded IDs to demonstrate the level of access a specific medical provider has.
· Quarterly or annual mandatory password changes, with passwords consisting of alphanumeric values.
· Routine security audits with simulated system threats from non-authorized users, to allow further development of security protocols.
· Implementation of back-ups to ensure access in the event of primary system failure.
The security measures presented above help aid the medical facility not only in the development but also in the implementation of role-based security access. Thus, security access levels can be further refined by specific department, by job position type, and lastly by a ranking list that defines the type of care being provided together with the specific type of access necessary to complete the desired tasks. The information presented throughout has elucidated many points and provided examples of how policies can be developed based on the types of situations that can/will be encountered.
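As an added illustration of the role-based access described in this section (not part of the original paper, and not code from any EHR product), the following Python sketch ties together several of the policy points raised earlier: a role table that grants each job position only the record sections it needs, a master list on which a departing user is inactivated so that their access ends, a check that the user has a current care or billing assignment to the patient, an audit entry documenting every access attempt, and collection of denied attempts as real-time alerts. The roles, record sections, user IDs and patient IDs are constructed for the example and do not come from the paper or from any real system.

```python
"""Role-based access control for patient records with an audit trail and
alerting on denied attempts. Constructed example; all names are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Section(Enum):
    """Parts of a patient record that are permissioned separately."""
    DEMOGRAPHICS = "demographics"
    CLINICAL_NOTES = "clinical_notes"
    MEDICATIONS = "medications"
    BILLING = "billing"


# Hypothetical role table (constructed): each job position is granted only
# the record sections it needs to do its work.
ROLE_PERMISSIONS: dict[str, set[Section]] = {
    "attending_physician": {Section.DEMOGRAPHICS, Section.CLINICAL_NOTES, Section.MEDICATIONS},
    "nurse": {Section.DEMOGRAPHICS, Section.MEDICATIONS},
    "billing_clerk": {Section.DEMOGRAPHICS, Section.BILLING},
}


@dataclass
class User:
    user_id: str
    role: str
    active: bool = True  # the "master list": set to False when the person leaves


@dataclass
class AuditEvent:
    timestamp: str
    user_id: str
    patient_id: str
    section: str
    granted: bool
    reason: str


class RecordAccessControl:
    """Decides, documents and alerts on every attempt to open part of a record."""

    def __init__(self, users: dict[str, User], assignments: dict[str, set[str]]) -> None:
        self.users = users
        # patient_id -> user_ids with a current care or billing assignment
        self.assignments = assignments
        self.audit_log: list[AuditEvent] = []
        self.alerts: list[AuditEvent] = []  # denied attempts, for real-time review

    def check_access(self, user_id: str, patient_id: str, section: Section) -> bool:
        user = self.users.get(user_id)
        if user is None or not user.active:
            return self._record(user_id, patient_id, section, False, "unknown or inactive user")
        if section not in ROLE_PERMISSIONS.get(user.role, set()):
            return self._record(user_id, patient_id, section, False,
                                f"role '{user.role}' may not view {section.value}")
        if user_id not in self.assignments.get(patient_id, set()):
            return self._record(user_id, patient_id, section, False,
                                "no care or billing assignment for this patient")
        return self._record(user_id, patient_id, section, True, "granted")

    def deactivate(self, user_id: str) -> None:
        """Inactivate a user on the master list; every later check is denied."""
        self.users[user_id].active = False

    def _record(self, user_id: str, patient_id: str, section: Section,
                granted: bool, reason: str) -> bool:
        event = AuditEvent(datetime.now(timezone.utc).isoformat(), user_id,
                           patient_id, section.value, granted, reason)
        self.audit_log.append(event)  # every access, granted or not, is documented
        if not granted:
            self.alerts.append(event)  # hook for a real-time alert (pager, SIEM, ...)
        return granted


def build_demo() -> RecordAccessControl:
    """Constructed sample users and assignments (not real data)."""
    users = {
        "dr_lee": User("dr_lee", "attending_physician"),
        "nurse_kim": User("nurse_kim", "nurse"),
        "clerk_ray": User("clerk_ray", "billing_clerk"),
        "dr_gone": User("dr_gone", "attending_physician"),
    }
    assignments = {"P001": {"dr_lee", "nurse_kim", "clerk_ray", "dr_gone"}}
    return RecordAccessControl(users, assignments)


if __name__ == "__main__":
    acl = build_demo()
    acl.check_access("dr_lee", "P001", Section.CLINICAL_NOTES)     # granted
    acl.check_access("nurse_kim", "P001", Section.CLINICAL_NOTES)  # denied: role
    acl.check_access("dr_lee", "P002", Section.MEDICATIONS)        # denied: not assigned
    acl.deactivate("dr_gone")
    acl.check_access("dr_gone", "P001", Section.DEMOGRAPHICS)      # denied: inactive
    for e in acl.audit_log:
        print(f"{e.timestamp} {e.user_id} {e.patient_id} {e.section} "
              f"{'GRANT' if e.granted else 'DENY '} {e.reason}")
```

Running the block as a script prints the audit trail; each decision is also returned so it can be checked programmatically. In a real deployment the role table and patient assignments would be fed from the HR and scheduling systems rather than hard-coded, and the alert list would be replaced by a call into the monitoring service that the real-time alerting bullet above calls for.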
References:
Rupp, S. (2016). Keys to maintaining the security of a practice's EHR data. Electronic Health Reporter. Retrieved January 27, 2017, from http://electronichealthreporter.com/role-based-access-control-audit-trails-password-protection-encryption-consent-keys-maintaining-security-practices-ehr-data/
Ken, T. (2009). Patient privacy: The new threats. Physicians Practice Journal, 19(3). Accessed January 27, 2017.
Thakkar, M., & Davis, D. C. (2009). Health information technology: Benefits of EHR and HIE; risks, barriers, and benefits of EHR systems. Retrieved January 27, 2017, from http://www.kumc.edu/health-informatics/hispc/for-consumerspatients/risks-and-benefits-of-electronic-health-records.html
Kaelber, D., & Pan, E. C. (2008). The value of personal health record (PHR) systems. AMIA Annual Symposium Proceedings, 343–347.
Wafa, T. (2010). How the lack of prescriptive technical granularity in HIPAA has compromised patient privacy. Northern Illinois University Law Review, 30(3).